In a statement published on the Securities and Exchange Commission’s website yesterday, SEC Chairman Jay Clayton revealed that the Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system was compromised last year. Data from EDGAR, which is used to receive and publish corporate filings to the agency, “may have provided the basis for illicit gain through trading,” Clayton said. “Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems.” The revelations were part of a statement by Clayton on the SEC’s overall cybersecurity posture and policy.
This is not the first time the SEC has exposed financial data. In 2014, an audit from the SEC’s inspector general found that hundreds of agency laptops could not be accounted for, and many of them may have contained non-public financial market data. But the 2016 breach was the result of a deliberate attack aimed at accessing the EDGAR filing system.
EDGAR is the system that accepts electronic filings of statements from corporations regarding their finances and events or activities that might have an impact on their business. The system also allows the public—including investors and researchers—to access those filings. EDGAR amounts to a huge content management and workflow system, containing data on all manner of publicly traded stocks, bonds, and other securities. It’s intended to ensure that all parties have access to the same information at the same time to minimize the ability of some to take advantage of the release of advance financial information.
If revealed early, corporate earnings and other reports could be used to execute trades that take advantage of the expected impact of the news—buying stock before positive news or “shorting” stock before negative news. The data filed to the SEC often includes non-public “draft” versions of corporate filings, and the SEC also maintains a Consolidated Audit Trail (CAT) that could be used to determine patterns in trading.
While the “incident” had been detected when it occurred in 2016, an internal audit ordered by Chairman Clayton discovered this August that nonpublic information was disclosed that could have been used by someone to gain an advantage in stock transactions. The breach was made possible by a software vulnerability in a test version of EDGAR’s filing system. An attacker exploited that vulnerability to gain access to live data. The software was patched after the incident, Clayton said. He added, “We believe the intrusion did not result in an unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”
The SEC has also been dealing with attempts to seed EDGAR with bad data to affect financial markets. “Our Division of Enforcement has investigated and filed cases against individuals who we allege placed fake SEC filings on our EDGAR system in an effort to profit from the resulting market movements,” Clayton revealed.
The SEC did not discuss why a test system was connected to live SEC data and accessible to the public. But Clayton acknowledged that the SEC had a great deal of work to do in improving the Commission’s overall security posture. “Cybersecurity is critical to the operations of our markets, and the risks are significant and, in many cases, systemic,” said Clayton. “We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions and that a key component of cyber risk management is resilience and recovery.”